Details

Updated kdelibs packages that fix a flaw in cookie path handling are now available.

Konqueror is a file manager and Web browser for the K Desktop Environment (KDE).

Flaws have been found in the cookie path handling between a number of Web browsers and servers. The HTTP cookie standard allows a Web server supplying a cookie to a client to specify a subset of URLs on the origin server to which the cookie applies. Web servers such as Apache do not filter returned cookies and assume that the client will only send back cookies for requests that fall within the server-supplied subset of URLs. However, by supplying URLs that use path traversal (/../) and character encoding, it is possible to fool many browsers into sending a cookie to a path outside of the originally-specified subset.

KDE version 3.1.3 and later include a patch to Konqueror that disables the sending of cookies to the server if the URL contains such encoded traversals. Red Hat Enterprise Linux 2.1 shipped with KDE 2.2.2 and is therefore vulnerable to this issue.
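As an added illustration of the flaw and the fix described above (example code written for this page, not kdelibs or Red Hat code): a naive string-prefix match on the raw request path lets a traversal URL carry a cookie outside its Path= subtree, while the hardened check refuses to send any cookie for a request whose decoded path contains traversal, the approach the advisory attributes to KDE 3.1.3, and otherwise compares canonical paths on a segment boundary. The pre-3.1.3 behaviour, the bounded double-decoding and the sample paths are assumptions, not taken from the kdelibs source.

```python
from urllib.parse import unquote


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded sequence such as %252e%252e is also recognised as '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def naive_path_match(request_path: str, cookie_path: str) -> bool:
    """Vulnerable check (assumed pre-3.1.3 behaviour, not kdelibs code):
    a plain prefix test on the raw, undecoded request path."""
    return request_path.startswith(cookie_path)


def has_traversal(request_path: str) -> bool:
    """True if any segment of the decoded request path is '..'."""
    return ".." in fully_decode(request_path).split("/")


def canonical(path: str) -> str:
    """Decode and drop empty and '.' segments. A '..' segment never reaches
    here because safe_path_match() refuses such requests first."""
    segs = [s for s in fully_decode(path).split("/") if s not in ("", ".")]
    return "/" + "/".join(segs)


def safe_path_match(request_path: str, cookie_path: str) -> bool:
    """Hardened check: send no cookie at all when the request path contains
    (possibly encoded) traversal; otherwise compare canonical paths and only
    accept a match on a '/' segment boundary, so /privateer does not match
    a cookie scoped to /private."""
    if has_traversal(request_path):
        return False
    cp, rp = canonical(cookie_path), canonical(request_path)
    return cp == "/" or rp == cp or rp.startswith(cp + "/")


if __name__ == "__main__":
    # Constructed example: the origin server scoped its cookie to /private.
    for url in ("/private/account", "/private/../public/echo",
                "/private/..%2Fpublic/echo", "/privateer"):
        print(f"{url:28} naive={naive_path_match(url, '/private')!s:5} "
              f"safe={safe_path_match(url, '/private')}")
```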

Users of Konqueror are advised to upgrade to these erratum packages, which contain a backported patch for this issue.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL Certificate Errors, you need to install a version of the up2date client with an updated certificate. The latest version of up2date is available from the Red Hat FTP site and may also be downloaded directly from the RHN website: